CVE-2015-7833 usbvision: crash on invalid device descriptors (rhbz 1270158 1270160)
This commit is contained in:
Josh Boyer
parent
8b6be20d05
commit
45bb62e168
@ -591,6 +591,9 @@ Patch511: RDS-fix-race-condition-when-sending-a-message-on-unb.patch
|
||||
#rhbz 1282706
|
||||
Patch512: 0001-cgroup-make-css_set-pin-its-css-s-to-avoid-use-afer-.patch
|
||||
|
||||
#CVE-2015-7833 rhbz 1270158 1270160
|
||||
Patch567: usbvision-fix-crash-on-detecting-device-with-invalid.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%endif
|
||||
@ -2034,6 +2037,9 @@ fi
|
||||
#
|
||||
#
|
||||
%changelog
|
||||
* Tue Dec 01 2015 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- CVE-2015-7833 usbvision: crash on invalid device descriptors (rhbz 1270158 1270160)
|
||||
|
||||
* Tue Dec 01 2015 Laura Abbott <labbott@redhat.com> - 4.4.0-0.rc3.git1.1
|
||||
- Linux v4.4-rc3-5-g2255702
|
||||
- Reenable debugging options.
|
||||
|
||||
49
usbvision-fix-crash-on-detecting-device-with-invalid.patch
Normal file
49
usbvision-fix-crash-on-detecting-device-with-invalid.patch
Normal file
@ -0,0 +1,49 @@
|
||||
From 2ea39fc263c6a7589e15edb7d2d1c89fa569be53 Mon Sep 17 00:00:00 2001
|
||||
From: Vladis Dronov <vdronov@redhat.com>
|
||||
Date: Mon, 16 Nov 2015 15:55:11 -0200
|
||||
Subject: [PATCH] usbvision: fix crash on detecting device with invalid
|
||||
configuration
|
||||
|
||||
The usbvision driver crashes when a specially crafted usb device with invalid
|
||||
number of interfaces or endpoints is detected. This fix adds checks that the
|
||||
device has proper configuration expected by the driver.
|
||||
|
||||
Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
|
||||
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
|
||||
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
|
||||
---
|
||||
drivers/media/usb/usbvision/usbvision-video.c | 16 +++++++++++++++-
|
||||
1 file changed, 15 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/drivers/media/usb/usbvision/usbvision-video.c b/drivers/media/usb/usbvision/usbvision-video.c
|
||||
index b693206f66dd..d1dc1a198e3e 100644
|
||||
--- a/drivers/media/usb/usbvision/usbvision-video.c
|
||||
+++ b/drivers/media/usb/usbvision/usbvision-video.c
|
||||
@@ -1463,9 +1463,23 @@ static int usbvision_probe(struct usb_interface *intf,
|
||||
|
||||
if (usbvision_device_data[model].interface >= 0)
|
||||
interface = &dev->actconfig->interface[usbvision_device_data[model].interface]->altsetting[0];
|
||||
- else
|
||||
+ else if (ifnum < dev->actconfig->desc.bNumInterfaces)
|
||||
interface = &dev->actconfig->interface[ifnum]->altsetting[0];
|
||||
+ else {
|
||||
+ dev_err(&intf->dev, "interface %d is invalid, max is %d\n",
|
||||
+ ifnum, dev->actconfig->desc.bNumInterfaces - 1);
|
||||
+ ret = -ENODEV;
|
||||
+ goto err_usb;
|
||||
+ }
|
||||
+
|
||||
+ if (interface->desc.bNumEndpoints < 2) {
|
||||
+ dev_err(&intf->dev, "interface %d has %d endpoints, but must"
|
||||
+ " have minimum 2\n", ifnum, interface->desc.bNumEndpoints);
|
||||
+ ret = -ENODEV;
|
||||
+ goto err_usb;
|
||||
+ }
|
||||
endpoint = &interface->endpoint[1].desc;
|
||||
+
|
||||
if (!usb_endpoint_xfer_isoc(endpoint)) {
|
||||
dev_err(&intf->dev, "%s: interface %d. has non-ISO endpoint!\n",
|
||||
__func__, ifnum);
|
||||
--
|
||||
2.5.0
|
||||
|
||||
Loading…
Reference in New Issue
Block a user